Health Care Breach Watch: May 2015 HIPAA breach notifications

There seems to have been a glut of HIPAA breach notifications recently. Here’s a round-up of the latest health care information breaches to hit HIPAA covered entities across the United States in May.

Holston Valley Medical Center – 1,726 patient records

Holston Valley Medical Center in Tennessee has informed 1,726 patients that their medical records were discovered on March 1 to have been inappropriately disposed of in a recycling bin by a nurse, who has subsequently resigned. Wellmont Health Systems, which runs the medical center, said in a statement that the notes “were not part of any patients’ legal medical record and were never in a public area before they were placed in the recycling bin. Holston Valley and Wellmont did not authorize these notes, their retention or their disposal at Steele Creek”.

The MetroHealth System – 981 patient records

Ohio-based MetroHealth System is notifying 981 patients who received cardiac catheterizations that three of the computers in its Cardiac Cath Lab, which held their medical records, were infected with malware. Cleveland.com reports that the malware was discovered on March 17 and “affected patients who had procedures in the lab between July 14, 2014 [and] March 21 of this year. […] In investigating the breach, the health system found that a business associate disabled antivirus software on the computers to facilitate a software update. There is no evidence that any health information was accessed”. Affected information included patients’ names, dates of birth, heights, weights, medications administered, medical record numbers, case numbers, and raw data such as tracings of EKG and oxygen saturation.

UT Southwestern Medical Center – 1,032 patient records

The Dallas Morning News reports that, from January 9 this year, the University of Texas Southwestern Medical Center accidentally transmitted the immunization records of 1,032 individuals to the ImmTrac immunization database – a confidential state registry used by the Texas Department of State Health Services to monitor immunizations. The medical center blamed “a computer glitch” for the “inadvertent transmission” of the records, and has informed affected patients.

Orlando Health – 68 patient records

According to a WFTV news report, Orlando Health informed 68 patients that their personal health care information – including medical record numbers, account numbers, names, and diagnoses – had been found in a neighborhood driveway. The list was accidentally taken home by an employee, who then lost it. Orlando Health told WFTV:

“The privacy and security of our patients’ health information is a top priority for us. We conducted a thorough investigation of the incident and found no evidence of malice or intent.

“Out of an abundance of caution, we sent letters to the 68 patients who appeared on the list to notify them of the incident and reassure them we do not believe any harm is likely.”

This is not the first time Orlando Health has faced a data breach. Last year, it lost a flash drive containing the patient information of 586 children treated at the Orlando Health Arnold Palmer Medical Center, and in 2011 it fired three employees for inappropriately accessing patient information.

University of Pittsburgh Medical Center – 2,259 patient records

A former employee of medical billing company Medical Management LLC – a business associate of the University of Pittsburgh Medical Center (UPMC) – has been accused of copying “personal information from the billing system” for nearly two years and disclosing that information to a third party. 2,259 UPMC patients have been notified by letter that their information, including names, dates of birth, and Social Security numbers, may have been compromised. A UPMC statement notes that “[there] is no evidence that information about medical histories or treatments was disclosed.”

This is not the first time UPMC has faced a data breach either: last year, criminal hackers stole a database containing the personal information of all 62,000 of UPMC’s employees.

CareFirst– 1.1 million patient records

CareFirst BlueCross BlueShield has confirmed a cyber attack affecting “limited personal information” on a patient database. In June 2014, criminal hackers “gained access to a single database” and “could have potentially acquired member-created user names created by individuals to access CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification number. […] The database accessed by attackers contained no member Social Security numbers, medical claims, employment, credit card, or financial information.”

Indiana State Medical Association – new information

Meanwhile, more details have emerged about the Indiana State Medical Association (ISMA) breach I blogged about in March. According to a report in The Star Press, an “information technology administrator” left “a laptop computer and two hard drives storing the Social Security numbers, medical histories or other personal information of 39,090 people” in his car for two-and-a-half hours. They were stolen. “[Police] quoted the administrator as saying he thought he had locked his car but found no damage or marks on it when he discovered the theft.”

ISMA’s official statement claimed that the theft occurred when the hard drives “were being transported to an offsite storage facility in accordance with ISMA’s disaster recovery plan.” Spokeswoman Marilyn Carter “declined to comment on the police report”.

A Vormetric study found that “26 percent of healthcare respondents reported that their organization had previously experienced a data breach” and a recent Ponemon Institute report found that criminal attacks are the most common cause of health care data breaches. “Criminal attacks on healthcare organizations are up 125% compared to five years ago”, Ponemon notes, and “45% of [breached] healthcare organizations say the root cause of the data breach was a criminal attack”.

HIPAA covered entities that are concerned about data security should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.

By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.

It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition to this, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.

IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.

Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.

By my reckoning, these breaches bring the number of potentially compromised patient records admitted so far this year to 124,424,852. For more information on the year’s other health care data breach notifications and HIPAA violations, click here, here, here, here, here, here, and here. And if you know of an incident that I’ve missed, do let me know in the comments below.